Description
Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Published: 2026-03-24
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: Privilege Escalation via Link Share Hash Disclosure
Action: Patch Immediately
AI Analysis

Impact

The vulnerability allows an attacker who holds a read‑only link share to list every link share of the same project, including the secret hashes that only project members should be able to see. With the hash of a write or admin share, the attacker can authenticate as that share and gain full control of the project. The root cause is an authorization check that is applied on the single‑object path (`ReadOne` calls `CanRead()`) but not on the listing path (`ReadAllWeb` never does), a textbook case of improper authorization (CWE‑285).
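
To make the authorization gap in the description and the impact analysis concrete, here is a toy Go model of the flaw and of the minimal fix. This is an added example, not Vikunja's code: the `Right`, `LinkShare` and `Auth` types, the `canRead` rule (user 1 owns project 42), the constructed share records and their hash values are all assumptions chosen for illustration. Only the shape of the bug is taken from the advisory: the listing path returns share objects with their secrets without ever running the read check that the single-object path runs.

```go
package main

import (
	"errors"
	"fmt"
)

type Right int // a link share's permission level, lowest to highest

const RightRead, RightWrite, RightAdmin Right = 0, 1, 2

// LinkShare is one share of a project. Hash is the bearer secret: whoever
// presents it gets a session with the share's Right on the share's project.
type LinkShare struct {
	ID, ProjectID int64
	Hash          string
	Right         Right
}

// Auth is the caller: a user, or a session created from a link share (then
// ProjectID and Right are copied from the share).
type Auth struct {
	UserID      int64
	IsLinkShare bool
	ProjectID   int64
	Right       Right
}

var ErrForbidden, ErrBadHash = errors.New("forbidden: link share sessions may not read share objects"), errors.New("unknown link share hash")

// Constructed sample data (an assumption): project 42 has read, write and admin shares.
var store = []LinkShare{
	{ID: 1, ProjectID: 42, Hash: "ro-aaaa", Right: RightRead},
	{ID: 2, ProjectID: 42, Hash: "rw-bbbb", Right: RightWrite},
	{ID: 3, ProjectID: 42, Hash: "admin-cccc", Right: RightAdmin},
	{ID: 4, ProjectID: 7, Hash: "ro-dddd", Right: RightRead},
}

// canRead is the gate the advisory says ReadOne applies: link-share sessions may
// never read share objects; users need project access (toy rule: user 1 owns 42).
func canRead(a Auth, projectID int64) bool {
	if a.IsLinkShare {
		return false
	}
	return a.UserID == 1 && projectID == 42
}

// readAllVulnerable models the pre-2.2.2 listing path: all shares, secrets included, no canRead.
func readAllVulnerable(_ Auth, projectID int64) ([]LinkShare, error) {
	var out []LinkShare
	for _, s := range store {
		if s.ProjectID == projectID {
			out = append(out, s)
		}
	}
	return out, nil
}

// readAllFixed runs the same gate as ReadOne before listing anything.
func readAllFixed(a Auth, projectID int64) ([]LinkShare, error) {
	if !canRead(a, projectID) {
		return nil, ErrForbidden
	}
	return readAllVulnerable(a, projectID)
}

// loginWithHash turns a share secret into a link-share session: the hash is the whole credential.
func loginWithHash(hash string) (Auth, error) {
	for _, s := range store {
		if s.Hash == hash {
			return Auth{IsLinkShare: true, ProjectID: s.ProjectID, Right: s.Right}, nil
		}
	}
	return Auth{}, ErrBadHash
}

// escalate is the advisory's chain: list shares as the low-privileged session, log in with the highest-right hash.
func escalate(a Auth, readAll func(Auth, int64) ([]LinkShare, error)) (Auth, error) {
	shares, err := readAll(a, a.ProjectID)
	if err != nil {
		return Auth{}, err
	}
	best := LinkShare{Right: -1}
	for _, s := range shares {
		if s.Right > best.Right {
			best = s
		}
	}
	return loginWithHash(best.Hash) // empty hash if nothing was listed -> ErrBadHash
}

func main() {
	ro, _ := loginWithHash("ro-aaaa")
	admin, err := escalate(ro, readAllVulnerable)
	fmt.Println("vulnerable:", admin.Right == RightAdmin, err)
	_, err = escalate(ro, readAllFixed)
	fmt.Println("fixed:", err)
}
```

Run it with `go run`: the read‑only session obtains an admin session through `readAllVulnerable` and is refused with `ErrForbidden` through `readAllFixed`, while a project owner can still list the shares. Whether 2.2.2 fixes the issue exactly by calling `CanRead()` from the listing path, or also stops returning hashes in list responses, is not stated on this page; gating the listing on the same check as `ReadOne` is the minimal fix the description implies, and redacting secrets from list responses would be sensible defence in depth on top of it.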

Affected Systems

Vikunja, an open‑source self‑hosted task management platform, is affected. All releases before version 2.2.2 are vulnerable. The issue is fixed in version 2.2.2 and later.

Risk and Exploitability

The CVSS base score of 7.5 rates this as high severity (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N: network‑reachable, low complexity, no privileges or user interaction, high confidentiality impact), while the EPSS score below 1% indicates a low current likelihood of exploitation in the wild and the issue is not in the CISA KEV catalog. The SSVC enrichment records Exploitation as "poc" and the attack as automatable. Note that the vector scores only the hash disclosure (C:H); because the disclosed hashes grant admin access, the practical impact extends to the integrity and availability of the project. The only precondition is a valid read‑only link share for the target project plus network access to the Vikunja instance, so anyone who has been sent such a link, or finds one in a forwarded message or browser history, can perform the attack remotely without an account.

Generated by OpenCVE AI on March 30, 2026 at 14:36 UTC.

Remediation

Vendor fix: Vikunja 2.2.2 and later (GHSA-8hp8-9fhr-pfm9). No vendor‑provided workaround is published; the interim mitigation in the recommended actions is OpenCVE's, not the project's.

OpenCVE Recommended Actions

  • Upgrade Vikunja to version 2.2.2 or newer
  • If an upgrade is not immediately possible, disable or remove link sharing until the patch is applied
  • After upgrading, delete and recreate existing write and admin link shares: the patch stops further disclosure but does not invalidate hashes that a read‑only share holder may already have listed

Advisories
Source      | ID                  | Title
Github GHSA | GHSA-8hp8-9fhr-pfm9 | Vikunja: Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
History

Mon, 30 Mar 2026 13:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Vikunja; Vikunja vikunja
CPEs                |                | cpe:2.3:a:vikunja:vikunja:*:*:*:*:*:*:*:*
Vendors & Products  |                | Vikunja; Vikunja vikunja

Fri, 27 Mar 2026 20:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc (version 2.0.3): Exploitation = poc, Automatable = yes, Technical Impact = partial


Wed, 25 Mar 2026 12:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Go-vikunja; Go-vikunja vikunja
Vendors & Products  |                | Go-vikunja; Go-vikunja vikunja

Tue, 24 Mar 2026 16:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Vikunja is an open-source self-hosted task management platform. Prior to version 2.2.2, the `LinkSharing.ReadAll()` method allows link share authenticated users to list all link shares for a project, including their secret hashes. While `LinkSharing.CanRead()` correctly blocks link share users from reading individual shares via `ReadOne`, the `ReadAllWeb` handler bypasses this check by never calling `CanRead()`. An attacker with a read-only link share can retrieve hashes for write or admin link shares on the same project and authenticate with them, escalating to full admin access. Version 2.2.2 patches the issue.
Title       |                | Vikunja Vulnerable to Link Share Hash Disclosure via ReadAll Endpoint Enables Permission Escalation
Weaknesses  |                | CWE-285
References  |                |
Metrics     |                | cvssV3_1: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-03-26T19:52:13.837Z

Reserved: 2026-03-23T16:34:59.931Z

Link: CVE-2026-33680

Vulnrichment

Updated: 2026-03-26T19:51:36.089Z

NVD

Status : Analyzed

Published: 2026-03-24T16:16:35.570

Modified: 2026-03-30T13:42:38.180

Link: CVE-2026-33680

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-30T20:58:05Z

Weaknesses